
feature: Query::push or String::bind #1643


Closed
Iron-E opened this issue Jan 20, 2022 · 2 comments

Comments

@Iron-E

Iron-E commented Jan 20, 2022

Hello,

I am writing an invoicing application which has required me to create a query builder for user searches on the database. Since I cannot know beforehand how many conditions a user will supply, my WHERE clauses must be written to a String before generating an sqlx::query from it. This means that my WHERE clauses are vulnerable to SQLi as you cannot bind to a String.

Thus, in order to use this query builder safely, I would need one of two things:

  1. Query::push for mutable Query instances, so that I can add more to a Query and then bind my arguments.
  2. String::bind (given the Database) so I can generate my string first and then call sqlx::query.

There may be another way around this that I am not thinking of, but in reading the docs I couldn't see how to either bind without a Query or amend a Query once formed.

I see that bind is very dependent on the ArgumentBuffers, so perhaps Query::push would be easier?

Thank you for reading this!

@abonander
Collaborator

There are a couple of existing issues that cover your use case already, from different angles: #1488, #291

You can also often get around generating dynamic WHERE clauses by just making the conditions optional, e.g.:

SELECT * FROM table
   WHERE ($1::type IS NULL OR $1 = column)
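The two safe approaches raised in this thread, the opener's request for a way to build a WHERE clause incrementally while still binding every value, and the reply's fixed-text query with optional filters, as an added example. This is not sqlx's own API and not code from either participant: the `build_select`, `build_select_unsafe` and `fixed_select_with_optional_filters` functions and the `Value`/`Condition` types are hypothetical, written in plain Rust with no database so it runs stand-alone. The point it demonstrates is that user-supplied values only ever land in the argument list, never in the SQL text, while column names come from a fixed application-chosen set.

```rust
// Added example (not sqlx code): build a dynamic WHERE clause that keeps
// user-supplied values out of the SQL string by emitting numbered
// placeholders ($1, $2, ...) and collecting the values separately, in the
// order a driver would bind them.

/// Values a user may filter on. Only these go into the argument list.
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Text(String),
    Int(i64),
}

/// A filter condition. The column is a `&'static str` chosen by the
/// application (an implicit allow-list); only the value is user input.
pub enum Condition {
    Equals(&'static str, Value),
    Like(&'static str, String),
}

/// SQL text plus the bound arguments, kept apart until execution.
#[derive(Debug, PartialEq)]
pub struct BuiltQuery {
    pub sql: String,
    pub args: Vec<Value>,
}

/// Safe builder: appends " WHERE "/" AND " between conditions and a
/// placeholder for each value. The placeholder number is the argument's
/// 1-based position in `args`, so text and arguments cannot drift apart.
pub fn build_select(table: &'static str, conds: &[Condition]) -> BuiltQuery {
    let mut sql = format!("SELECT * FROM {}", table);
    let mut args = Vec::new();
    for (i, c) in conds.iter().enumerate() {
        sql.push_str(if i == 0 { " WHERE " } else { " AND " });
        match c {
            Condition::Equals(col, v) => {
                args.push(v.clone());
                sql.push_str(&format!("{} = ${}", col, args.len()));
            }
            Condition::Like(col, pattern) => {
                args.push(Value::Text(pattern.clone()));
                sql.push_str(&format!("{} LIKE ${}", col, args.len()));
            }
        }
    }
    BuiltQuery { sql, args }
}

/// The pattern the issue warns against: the value is interpolated into the
/// SQL text, so a crafted value rewrites the statement. Shown only as a
/// contrast; do not use.
pub fn build_select_unsafe(table: &str, col: &str, value: &str) -> String {
    format!("SELECT * FROM {} WHERE {} = '{}'", table, col, value)
}

/// The reply's alternative: fixed SQL text in which every filter is always
/// present and a NULL argument disables it, so no string building is needed.
/// Returns the text and the (possibly NULL) arguments in bind order.
pub fn fixed_select_with_optional_filters(
    client: Option<&str>,
    amount: Option<i64>,
) -> (String, Vec<Option<Value>>) {
    let sql = "SELECT * FROM invoices \
               WHERE ($1::text IS NULL OR client = $1) \
               AND ($2::bigint IS NULL OR amount = $2)"
        .to_string();
    let args = vec![
        client.map(|c| Value::Text(c.to_string())),
        amount.map(Value::Int),
    ];
    (sql, args)
}

fn main() {
    // Constructed input: a hostile "client" value typical of an injection probe.
    let hostile = "Acme'; DROP TABLE invoices; --";
    let q = build_select(
        "invoices",
        &[
            Condition::Equals("client", Value::Text(hostile.to_string())),
            Condition::Equals("amount", Value::Int(100)),
        ],
    );
    println!("safe SQL : {}", q.sql);
    println!("safe args: {:?}", q.args);
    println!("unsafe   : {}", build_select_unsafe("invoices", "client", hostile));
    let (fixed, fixed_args) = fixed_select_with_optional_filters(None, Some(100));
    println!("fixed    : {} with {:?}", fixed, fixed_args);
}
```

In the safe path the hostile string appears only in `args`, exactly where a driver would send it as a parameter; in `build_select_unsafe` it becomes part of the statement text. The fixed-text variant trades string building for one always-present predicate per filter, which is the trade the reply suggests.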

@Iron-E
Author

Iron-E commented Jan 21, 2022

Seems like #291 does what I want (and more). I'll close in favor of that.

@Iron-E Iron-E closed this as completed Jan 21, 2022